
How Secure Is Your Shop Computer

Locking the doors at night isn't adequate protection for your shop computer. Today, security threats can arrive via the wires connecting it to the world outside those doors.

Ten
years ago, only a few repair facilities owned computers that weren’t
dedicated to a single-purpose machine, like an alignment rack or engine
analyzer. Today, most shops have at least one. If your shop has a
computer, or is thinking about getting one, this article is for you.

Many shops now use
computers to generate repair orders, track customer history and control
inventory. Many of us have a computer-based repair information system
like MOTOR/ALLDATA or Mitchell OnDemand so we can have timely access to
wiring diagrams, code-setting criteria, technical service bulletins,
etc. Smart technicians also use the knowledge base at the International
Automotive Technicians’ Network (iATN). There are also both enthusiast-
and manufacturer-supported online resources for specific makes and
models of cars. Some of us even have our own websites or use e-mail to
reach our customers with estimates, diagnoses or updates. Clearly,
computers can increase productivity and efficiency in our shops just as
they have in the cars we service.

You’ve probably seen the
TV commercials with the message that “millions of Americans are just
asking for a computer virus.” Dave George has seen them, too. Dave has
been in the automotive service industry for 22 years and now manages the
RadAir Complete Car Care facility in Garfield Heights, Ohio. Until a few
months ago, Dave was among those millions. One day, he got what he
“asked for.” He was loading a new time clock shop management program
onto one of the six networked computers at the shop. Following the
manufacturer’s instructions, he had just logged on to the Internet to
register the program, when things suddenly spun out of control.

“At first, the computer
made a funny whirring noise,” Dave told us, “and I was connected to
another website. I tried to get back, but whatever I did, the computer
just kept switching me somewhere else. It started offering to help me
find ‘adult friends’ and going to weird places. Then the pop-ups
started.”

Dave disconnected his
computer from the Internet, but the pop-ups continued. They became more
and more explicit. Even restarting his computer didn’t slow the
onslaught. Soon his computer locked up, its screen literally covered
with sexually explicit images.

An October 2004 study of
home PCs found that about 80% had become infected with one or more
pieces of spyware (see the Glossary below), usually entirely
without their users’ knowledge. The most common source of infection was
from bundled downloads, often of free software, which included hidden
spyware or adware programs. Game software was a major source of
hidden malware.

Major Internet service
providers (ISPs) like AOL and MSN offer free antivirus/cyberspace
security solutions to their subscribers. Even so, many of those
subscribers’ PCs become or remain infected. The most common cause is
users clicking on an e-mail attachment, usually ignoring at least one
warning dialog box before doing so.

The federal government’s
policy, as delineated in its National Strategy to Secure Cyberspace, is
that, of necessity, the entire Internet’s security rests upon the
security of each individual machine connected to it. ISPs have a vested
interest in preventing and reducing virus outbreaks, yet they have
strongly resisted the idea of government regulation, arguing that
voluntary cooperation allows for greater flexibility and faster response
times to actual threats.

Former U.S. Attorney
General John Ashcroft cited a PricewaterhouseCoopers report that
estimated that U.S. businesses have spent over $300 billion (an amount
roughly equal to the national K-12 education budget) to fight hackers
and computer viruses, with costs continuing to rise. Direct aggregate
damages from a single highly infectious virus have exceeded $700
million.

Dave George’s shop spent
thousands of dollars to disinfect and protect its computer network,
eventually replacing the most-affected machine entirely. So, what
measures should you take? And how safe is “safe enough”?

Never entering sensitive
customer information into any computer that is ever connected to the
Internet is an extreme measure. This may not be practical for most of us
unless we have several computers that are not networked together. Even
then, important operating system updates often must be downloaded via
the Internet, thus violating the strict no-connection requirement.

Hardware & Software Options

More practical approaches
include both hardware and software countermeasures. Let’s take a look at
the options.

Any Internet-capable
computer needs good antivirus software. High-speed Internet connections,
like DSL and cable, are prime targets for hackers (see “A Hacker’s View”
on page 28). At the very least, they require a hardware firewall and
recently updated antivirus software. Experts stress that each
machine should have a licensed copy of a regularly updated antivirus
program in place.

Most PCs use the
Microsoft Windows operating system. This has made both Windows and its
companion browser, Internet Explorer, prime targets for hackers. The
very knowledgeable staff at iATN recommends choosing a different
browser, such as Mozilla’s Firefox (www.mozilla.org/download.html)
or Opera (www.opera.com/) to
reduce vulnerability to many of the most malicious viruses.

Citing frequent and
serious security issues, iATN also highly recommends using e-mail
programs other than Microsoft’s Outlook and Outlook Express. You will,
however, need to keep Windows updated regularly. This, in turn,
necessitates keeping Internet Explorer up-to-date as well, since it’s
the required browser for updating Windows. If all your applications
(programs) can be run in the Linux operating system instead, you might
want to consider this option, although Linux, too, has vulnerabilities
that can be (and often are) exploited. Most of us, however, have at
least one program requiring the Windows operating system, so Linux may
not be a viable alternative.

If you’re going to be
entering truly sensitive customer data like credit card numbers, you may
wish to use an encrypted hard drive. All files containing such
information should be password-protected, at the minimum. If your
computer is part of a network, especially a wireless network, such files
should not be accessible from other workstations. A government study
reported an estimated 60% of all computer attacks go undetected. Other
sources suggest that most unprotected computers become infected with at
least one virus within ten minutes of being connected to the Internet
for the first time via cable, DSL or high-speed wireless connection.

General ledger accounting
programs, such as Peachtree and QuickBooks, are in widespread use for
accounting, billing and checking applications. Shop owners should be
aware that not only might customer data be vulnerable to outside hackers
who gain access to such a program’s files, but also even the shop’s own
checking account and merchant services (credit card processing)
information may be at risk. Specialized programs geared to the auto
repair industry are not widely distributed and may therefore be less
likely targets for attack. Still, almost any program is vulnerable to a
determined attacker. Once hacked in any guise, such programs become
favored targets for widespread attacks until appropriate countermeasures
are deployed.

Dr. Peter Tippett is the
co-originator of the Vaccine software, which later became the well-known
Norton AntiVirus. Dr. Tippett is now a White House advisor on computer
security issues and a former advisor to the Pentagon Joint Chiefs. He
believes there is clear evidence that organized crime is a major
perpetrator of money-making attacks on U.S. businesses and consumers.
Dr. Tippett suggests that seeking a perfect defense against all attacks
is futile. Instead, he advises smart users to adopt a “layered approach”
to security. At the very least, he recommends these five steps:

Turn off idle services,
channels or ports connected to the Internet.

Block all
non-business-related attachments at the Internet gateway.

Use screensaver
passwords.

Regularly conduct basic
Information Technology training for all employees who have computer
access.

Update your antivirus
software overnight and at lunchtime each day.

Dr. Tippett advises these
additional common-sense measures:

Never open unexpected
attachments, even if the sender is someone you know (malicious hackers
often “spoof” return addresses).

Never open any
executable file (usually, but not always, ending in .exe, .vbs or .scr)
from an unfamiliar source.
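The attachment advice above (blocking at the gateway and never opening executables) can be sketched as a filename check. This is an added example, not code from the article or from any product it mentions; the function names and sample filenames are constructed, and the extension list holds only the three the article names.

```python
import os

# Extensions named in the article. It notes executables "usually, but not
# always" end this way, so passing this check does not prove a file is safe.
EXECUTABLE_EXTS = {".exe", ".vbs", ".scr"}


def normalise(filename):
    """Reduce an attachment name to the form Windows would act on."""
    # Keep only the last path component, whichever slash style was used.
    name = os.path.basename(filename.replace("\\", "/"))
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs.
    return name.rstrip(". ").lower()


def check_attachment(filename):
    """Return (blocked, reason) for one attachment name."""
    stem, ext = os.path.splitext(normalise(filename))
    if ext not in EXECUTABLE_EXTS:
        return (False, "extension not on the block list")
    # A second extension such as ".pdf" in "invoice.pdf.exe" is there to
    # make the file look like a document when extensions are hidden.
    if os.path.splitext(stem)[1]:
        return (True, "executable disguised with a double extension")
    return (True, "executable attachment")


# Constructed sample names, as a mail gateway might see them.
SAMPLES = ["Estimate.PDF", "invoice.pdf.exe", "SCREEN.SCR",
           "update.vbs. ", "brake_photo.jpg"]

if __name__ == "__main__":
    for sample in SAMPLES:
        blocked, reason = check_attachment(sample)
        print(f"{sample!r:22} {'BLOCK' if blocked else 'pass ':5} {reason}")
```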

Dave George used to think
all he had to worry about was protecting his company data from outside
attackers. Now he knows better.

“It seems like what these
hackers are really after is to put their product onto your machine,” he
says. “They just want to get you onto their websites.”

His system now receives a
monthly maintenance checkup. He updates his antivirus software daily and
makes daily backups of his system to an external drive.

One night late last year,
a student came up to me during a class break and complained that he
couldn’t access the iATN at work. The problem, he explained, was that
the shop’s office manager adamantly refused to allow any Internet access
whatsoever, since a previous disaster sparked by an online virus had
locked up all systems on their five networked computers for weeks. The
damage had finally been repaired, but there would be no exceptions, even
for a resource as important as iATN.

As to my student’s
problem of Internet access, I recommended that one of the shop’s five
computers be taken off the network and be allowed to access the Internet
independent of the others. He countered that it needed to be on the
network to share a printer, but at prices around $100, the benefits of
purchasing a new dedicated printer would far outweigh the risks of a
repeat infection bringing down the entire shop network. If his shop uses
a broadband (DSL or cable modem) connection, it would be possible to
configure the firewall gateway to allow access only to specified sites, such as
www.iatn.net, www.motoralldata.com, www.alldata.com or www.ondemand5.com.
Only the system administrator should be given authority to expand the list of
permissible sites. This would prevent a repeat outbreak and result in a
win-win situation.
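The site list described above only protects the shop if hostnames are matched exactly, so here is an added example (not from the article or any firewall product) of the matching rule a gateway or proxy needs. Allowing subdomains of the four sites is an assumption, and the sample URLs, including the lookalikes under example.com, are constructed.

```python
from urllib.parse import urlsplit

# Domains of the four sites the article names. Only the administrator
# should edit this list. Allowing their subdomains is an assumption.
ALLOWED_DOMAINS = frozenset({
    "iatn.net", "motoralldata.com", "alldata.com", "ondemand5.com",
})


def host_of(url):
    """Return the lower-cased hostname in a URL, or None if there is none."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = parts.hostname  # drops any "user@" prefix and the port
    except ValueError:         # malformed address, e.g. a broken [IPv6] part
        return None
    return host.rstrip(".").lower() if host else None


def is_allowed(url, allowed=ALLOWED_DOMAINS):
    """True only if the host is a listed domain or a subdomain of one."""
    host = host_of(url)
    if host is None:
        return False
    # Compare whole DNS labels. A plain substring or "starts with" test
    # would let lookalike hosts through.
    return any(host == d or host.endswith("." + d) for d in allowed)


# Constructed requests: two legitimate, three lookalikes, one off-list.
SAMPLES = [
    "http://www.iatn.net/forums",
    "www.alldata.com",
    "http://www.iatn.net.example.com/",   # listed name used as a prefix
    "http://www.iatn.net@example.com/",   # listed name in the user field
    "http://notiatn.net/",                # listed name as a suffix only
    "http://example.org/free-games",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{'allow' if is_allowed(url) else 'BLOCK':5} {url}")
```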

To quote the iATN staff,
“Keeping your computer safe from viruses and hackers can be summed up
quite simply:

Keep the Internet
separated from your computer network as much as possible.

Prevent other computers
from having access to your files as much as possible.

Keep your operating
system and programs up-to-date with security patches and upgrades.

Don’t implicitly trust
anything you receive from the Internet (no matter who it comes from).

Always virus-scan all files that come from the Internet or other
sources.”